Virustotal expands AI security scans to AutoHotkey and other scripts
Google launched VirusTotal Code Insight in April 2023 to expand the functionality of its malware detection and analysis platform. Up until now, VirusTotal could tell its users whether antivirus engines considered a file malicious, but it could not really tell users why.
The introduction of Code Insight changed that. The feature analyses the code of a script and reveals its findings to a user. These findings may explain exactly what the malware does. The initial version was limited to PowerShell scripts, which limited its use significantly.
Google published an updated version of VirusTotal Code Insight this week that expands the supported script types. VirusTotal lists .bat, .cmd, .sh and .vbs file types specifically. Bleeping Computer discovered that AutoHotkey and Python scripts are also supported, even though they were not mentioned in the announcement.
The AI-powered code analysis feature supports the following formats now:
- Microsoft PowerShell scripts (ps)
- Batch files (bat)
- Command Prompt scripts (cmd)
- Shell scripts (sh)
- VBScript (vbs)
- AutoHotkey scripts (ahk)
- Python scripts (py)
The file size limit for scripts processed by Code Insight has been doubled with the update as well. The service plans to increase limits further in the future as work on improving the functionality continues.
VirusTotal notes that model improvements have been implemented to offer "more concise and high-level explanations" that focus on code behavior.
Existing users may notice that the interface of the Code Insight feature has been redesigned to only display the first sentence of the AI's report by default.
The feature is in active development at this stage and should be considered beta. VirusTotal has plans to improve it in the coming months by adding support for additional file formats, support larger file sizes, and support the analysis of executable file types such as .exe.
The team plans to provide more context to the analysis, for instance by giving the AI access to "any metadata related to the URLs and files linked in the code snippet".
Closing Words
Code Insight is an interesting feature as it helps security researchers and also other users analyze the behavior of scripts. Its use will grow when support for additional file types, especially executable files, is added to the service.
While it is still a good idea to scan files with one or multiple antivirus engines, VirusTotal's Code Insight feature may give users a better understanding of the actual dangers of a file.
Now You: do you use VirusTotal?
packing AHP selfxecute scripts with a binary packer autoflags them as malware .. room for improvement..
ps1, not ps, but I don’t see any mention that anything PowerShell is new.
The virus total saved me many times. I love to install legacy apps, and many of them (including newer apps) had an bunch of vunerabilities and some even was harmful. So I love to use it.
Also, the 650mb max file size is enough for the most suspicious programs.
“Now You: do you use VirusTotal?”
Given my privacy policies which include avoiding/blocking Google servers, I don’t use VirusTotal.
At this time I check files with ‘Jotti’s malware scan’ [https://virusscan.jotti.org/] :
“Jotti’s malware scan is a free service that lets you scan suspicious files with several anti-virus programs. You can submit up to 5 files at the same time. There is a 250MB limit per file. Please be aware that no security solution offers 100% protection, not even when it uses several anti-virus engines. All files are shared with anti-virus companies so detection accuracy of their anti-virus products can be improved.”